Blog

Mar 27

Apple Says Latest WikiLeaks CIA Attack Tool Dump No Threat

WikiLeaks has released a second batch of CIA attack tools, dubbed Dark Matter, which includes malware designed to exploit Mac OS X and iOS devices. But Apple contends the attacks target vulnerabilities in its software that have long been patched and that users are not at risk.

WikiLeaks released Dark Matter on March 23. It says the tools, which were developed or refined by the CIA's Embedded Development Branch, demonstrate a range of techniques the CIA uses to infect Macs and iPhones, for example, via EFI/UEFI and firmware attacks. WikiLeaks notes that the attack tools can infect the Mac OS X firmware, meaning that the attack code will persist even if the system gets rebooted.

Apple, however, claims that the vulnerabilities described in the Dark Matter dump are outdated and pose no threat to anyone using recent generations of its devices.

"Based on our initial analysis, the alleged iPhone vulnerability affected iPhone 3G only and was fixed in 2009 when iPhone 3GS was released," Apple says in a March 23 statement. "Additionally, our preliminary assessment shows the alleged Mac vulnerabilities were previously fixed in all Macs launched after 2013."

WikiLeaks, however, has criticized Apple's response as being "duplicitous," saying that EFI-related problems pose a "systemic" threat that attackers could continue to exploit.

The CIA's 'Sonic Screwdriver'

Apple-oriented attack tools described in the Dark Matter release include:

Sonic Screwdriver: A project that leaked documentation states is a "mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting." This could be used to force a system to install an operating system contained on a USB key, for example, "even when a firmware password is enabled," although it also details a version that can be installed in the modified firmware of an Apple Thunderbolt to Ethernet adapter. Such software would be useful for black bag operations or quickly infecting a laptop with malware - for example by customs agents at a border checkpoint during a customs check - or for otherwise getting malware onto a target's system.

DarkSeaSkies: "An implant [malware] that persists in the EFI firmware of an Apple MacBook Air computer" and consists of the "DarkMatter" EFI implant, "SeaPea" kernel-space implant, and "NightSkies" user-space implant.

Triton: Mac OS X malware, including a "Dark Mallet" infector and an EFI-persistent version called "DerStarke."

NightSkies 1.2: A "beacon/loader/implant tool" designed to be installed on iPhones, which could be used to track them.

Apple Declines to Negotiate with WikiLeaks

WikiLeaks says it's attempted to make contact with Apple, Google and Microsoft to share non-redacted details of attack tools that target their software or hardware. But all have reportedly refused WikiLeaks' entreaties, saying it should use existing bug-reporting channels.

"We have not negotiated with WikiLeaks for any information. We have given them instructions to submit any information they wish through our normal process under our standard terms," Apple says in a statement. "Thus far, we have not received any information from them that isn't in the public domain. We are tireless defenders of our users' security and privacy, but we do not condone theft or coordinate with those that threaten to harm our users."

To date, WikiLeaks says it's released just a fraction of the CIA hacking tools that it's gotten its hands on, which cover a period from 2013 to 2016. It released a first batch of materials earlier this month, but said it had redacted numerous exploits, preferring instead to help affected organizations patch their software first (see 7 Facts: 'Vault 7' CIA Hacking Tool Dump by WikiLeaks).

WikiLeaks' Conditions

The WikiLeaks offer to work with companies on software vulnerability issues comes with some conditions.

"All that is in our terms is standard industry terms - you've got 90 days [to issue a fix], we need a secure point of contact, encryption keys to make sure that when we communicate this information to you, other people can't get at it," Assange said in a March 23 online press conference. "This is a high security, very delicate business, it's not something that involves just throwing out emails to random parties within an organization."

Assange said WikiLeaks reached out on March 12 to Apple, Google, Microsoft and Mozilla, offering to share exploit information. He adds that a security engineer at Cisco "proactively" reached out to WikiLeaks, and noted that the networking giant was able to identify a telnet flaw in its firmware, affecting more than 300 types of devices, based solely on a partially redacted description of the exploit contained in the Vault 7 release. "That description was enough for Cisco to work out what it was," Assange said (see Cisco Finds Zero-Day Vulnerability in CIA Attack Tool Dump).

Timeline

In his March 23 press conference, Assange offered the following timeline relating to WikiLeaks' communications with technology firms:

March 12: WikiLeaks reached out to Apple, Google, Microsoft and Mozilla.

March 12: Mozilla replied to WikiLeaks, agreeing to its terms. The aforementioned Cisco engineer also reached out.

March 15: MikroTek contacted WikiLeaks; it makes a controller that's widely used in VoIP equipment.March 17: Mozilla replied, asked for more files.

March 18: WikiLeaks told Mozilla it's looking for the information.

March 20: First contact from Microsoft "not agreeing to the standard terms, but pointing to their standard procedures," Assange said, including providing a PGP email key. Google also replied the same day, pointing to their standard procedures, and including a PGP email key.

It's Complicated

Working with WikiLeaks, however, carries some potential complications, as noted by Apple. Firms in the United States might be particularly wary about handling potentially still-classified intelligence documents, legal experts say.

Then there's WikiLeaks' potential relationship with either Russian intelligence, or Russian geopolitical interests, including interference in the 2016 U.S. president elections. In the wake of those attacks, the U.S. intelligence community called WikiLeaks a tool of "Russian-directed efforts" against the United States by serving as an outlet for Russian disinformation campaigns. In particular, WikiLeaks published information stolen by the "Guccifer 2.0 online persona," which intelligence agencies say is a front for Russian intelligence, including emails for Democratic Party officials, among others.

Assange has brushed off any suggestions that he or his organization have been co-opted. Responding to a question during his Dark Matter press conference about why WikiLeaks' opted - timing-wise - to release the Vault 7 information earlier this month, Assange criticized the question as being "politicized" and labeled it an attempt to create a "conspiracy theory about the timing, to distract from the content." He said the timing was determined solely by the amount of time it took the organization to review and coordinate research into the Vault 7 materials in an operationally secure manner.